Basics of CrackMe With Sample and Example - Part 2

This is an article on Basics of CrackMe With Sample and Example - Part 2 in Unix.


As the title suggests, this is a continuation of Basics of CrackMe With Sample and Example. I assume a working knowledge of GDB and x86 assembly. In this article we'll crack a simple application that is a step up from the previous one.

In this article I take the cracking a step further by working on crackmes from crackmes.de.
As we don't want to jump straight to the advanced level, let's start with a basic one: A Simple Crackme.

This app uses the ptrace() syscall, which lets one process (the tracer, typically a debugger or a parent) observe and control another. The available requests are described in the ptrace(2) man page and defined in the header files (sys/ptrace.h).

OK ... From the first few lines we can see that the program reads the argument vector of main (argv[]). After that come two interesting calls. One is getpid(), presumably used to tell whether this is the parent or the child process.

The other is ptrace(), called with four arguments pushed on the stack, all of them 0.

So the call actually means

Code:

ptrace(0,0,0,0);

Check the man page for ptrace() if this means nothing to you: request 0 is PTRACE_TRACEME, by which the calling process asks to be traced by its parent. A process can have only one tracer, so when a debugger such as gdb is already attached the call fails and returns -1. That return value is what crackmes use as an anti-debugging check.

Reading the rest of the code, you should have noticed that the program compares the two strings pointed to by esi and edi:

Code:

0x08048474 <+68>: repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]

and jumps to main+128 if they are equal (repz cmpsb compares up to ecx bytes and stops at the first difference; the je tests the flags left by the last pair of bytes compared):

Code:

0x08048476 <+70>: je 0x80484b0 <main+128>

At main+128 there is a puts() call, and it looks like this is where we need to end up. Let us verify.

To examine registers and memory we have to run the program and break at the start of main, before the ptrace() call: under gdb that PTRACE_TRACEME call fails, so we want to inspect things before the program gets a chance to react to its result.

The code calls puts() with 0x80485e3 as its argument, which should point to the string. Let us examine:

Code:

(gdb) x/1s 0x80485e3
0x80485e3: "[!] Solved!"

OK, so we are on the right path: all we have to do is make the strings in edi and esi match.

In the first few lines you will have noticed

Code:

0x08048442 <+18>: mov edi,0x80485d4

Let's check what is stored at that address:

Code:

(gdb) x/1s 0x80485d4
0x80485d4: "__gmon_start__"

OK, so we need __gmon_start__ in esi too.

Let's see where esi comes from:

Code:

0x08048471 <+65>: mov esi,DWORD PTR [edx+0x4]

Now we have to track edx:

Code:

0x08048469 <+57>: mov edx,DWORD PTR [ebp+0xc]

With the standard i386 frame layout, [ebp+0x8] is argc and [ebp+0xc] is argv, so edx holds argv and [edx+0x4] is argv[1]: esi simply points at the program's first command-line argument.
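To tie the two pieces together, here is an added C re-creation of what the disassembly shows (my example, not the crackme's source): the ptrace(0,0,0,0) anti-debug probe from the start of main, and the byte-for-byte comparison of argv[1] against "__gmon_start__". How the real binary reacts to a failed ptrace() is not visible on the page (the transcript at the end still prints Solved under gdb), so the clone only reports it and carries on. The usage check and the "Wrong key" message are my additions, and the ptrace constants assume Linux.

```c
/* Added example (not the crackme's own source): a C re-creation of the two
 * mechanisms read out of the disassembly: ptrace(0,0,0,0) and the repz cmpsb
 * comparison of argv[1] against "__gmon_start__". How the real binary reacts
 * to the ptrace() result is not shown on the page, so this program only
 * reports it. Build with gcc -m32 to match the 32-bit original; a 64-bit
 * build behaves the same, only the stack-layout comments are i386-specific. */
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>

/* The string edi points at (0x80485d4 in the original). */
static const char REFERENCE[] = "__gmon_start__";

/* ptrace(0,0,0,0): request 0 is PTRACE_TRACEME, "let my parent trace me".
 * A process can have only one tracer, so when gdb is already attached the
 * call fails and returns -1; that return value is what an anti-debug check
 * looks at. Side effect: on success the process is now traced by its
 * parent, so the call is only meaningful once. */
int debugger_attached(void) {
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1;
}

/* Mirror of `repz cmps BYTE PTR [esi],[edi]` followed by `je`: compare up
 * to n bytes, stop at the first difference; the result reflects the last
 * pair compared. Unlike strcmp this does not stop at a NUL by itself. It is
 * safe here because n covers REFERENCE's terminator, so a shorter or longer
 * candidate mismatches at a terminator and the loop stops there. */
static int rep_cmpsb_equal(const char *a, const char *b, size_t n) {
    while (n--) {
        if (*a++ != *b++)
            return 0;
    }
    return 1;
}

/* 1 if candidate matches the reference string, 0 otherwise. */
int check_key(const char *candidate) {
    if (candidate == NULL)   /* the original reads argv[1] unguarded */
        return 0;
    /* ecx = strlen(REFERENCE)+1 = 15 bytes: the terminator is compared too. */
    return rep_cmpsb_equal(candidate, REFERENCE, sizeof REFERENCE);
}

int main(int argc, char **argv) {
    /* i386 cdecl: [ebp+0x8] is argc, [ebp+0xc] is argv, hence
     *   mov edx,DWORD PTR [ebp+0xc]   ; edx = argv
     *   mov esi,DWORD PTR [edx+0x4]   ; esi = argv[1]
     */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <key>\n", argv[0]);
        return 2;
    }
    if (debugger_attached())
        puts("[*] ptrace(PTRACE_TRACEME) failed: a tracer is already attached");
    if (check_key(argv[1]))
        puts("[!] Solved!");          /* the string at 0x80485e3 */
    else
        puts("[-] Wrong key");        /* made-up message, not from the page */
    return 0;
}
```

Running the clone as `./crackme_clone __gmon_start__` prints Solved; running it under gdb additionally prints the tracer notice, which is exactly the signal a less friendly crackme would act on.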

Let us try it:

Code:

(gdb) run __gmon_start__
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/aneesh/Desktop/crackme1 __gmon_start__
Breakpoint 1, 0x08048439 in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
[!] Solved!
Program exited normally.
(gdb)